The phenomenal growth of the Internet of Things (IoT) has resulted in an incredibly large, never seen before, network of connected people and devices collecting, sharing and processing data. Securing this information and the relatively new systems through which it is processed is an ongoing challenge for technology and security professionals, seeing a growth in the principal of Secure by Design (more on that later!). It’s widely accepted that having security built in to systems and software now forms a central part of security best practice, and as a result better secures users and the organisations they work for. But, that doesn’t mean there are the necessary standards in place to ensure that this area of our personal and professional lives are well protected.
There is clearly a need for a set of standards or a code of practice (CoP) to govern the IoT both in the consumer and business worlds. The challenge with this though is the question of who should be in charge of, advocate, create and roll out a new set of standards or CoP. There is no getting away from the reality of the scale of such a task, and to do it properly and for it to have credibility it is likely that it should fall to Government or well established industry and consumer groups. The UK Government have taken several positive steps towards a set of standards in publishing the Code of Practice for Consumer IoT Security in October 2018, as well as publishing its policy response to regulating consumer smart product cyber security in April 2021. Most recently Government has published research detailing cyber security issues in internet-connected devices used by businesses and organisations, furthering the conversation around securing the IoT.
One of the significant issues is the multitude of languages, protocols and standards as well as the lack of agreement on which of these works best for the complex layers of the IoT. Currently there is quite a burden on consumers and end users for securing IoT/smart devices, now with the knowledge and capability to do this sitting within the manufacturers there is a strong argument for this security burden to sit mostly with them. Considering the varying, and often changing, advice on authentication, how to keep devices updated etc as well as how fast new devices are added to the IoT, consumers are arguably not best placed to keep this part of their lives as secure as it needs to be.
A central part to addressing this challenge is ensuring that devices and systems are Secure by Design, which would ensure minimum security levels are inherent in all devices. Those working on these challenges will of course look at what they can learn from the data around how IoT has grown since Kevin Ashton first used the term ‘Internet of things’ in 1999 and when IoT was presented to the consumer market in 2014. With over 18 billion connected devices making up the IoT by the end of 2022 according to Ericsson, the effect on security and privacy due to such proliferation was seen early on in the life of the IoT with the Mirai Dyn attack in 2016. This attack leveraged the scale of connected devices to bring down the servers at Dyn, taking many high profile websites offline. We must learn from history to be risk focussed when building security by design into products.
Secure by Design for connected devices needs to be pragmatic to be cost effective and market relevant, it’s not realistic to expect all security risks to be mitigated in the design and build of products, there has to be some proportional expectation and responsibility with the end user. It is possible that the race to capitalise on the IoT market opportunity overshadows the lack of focus on security and data risks in the very devices that make the IoT possible. Securing the IoT and embedding Secure by Design is a global challenge so cannot be addressed in isolation by one country or Government. Further to this, consideration must be given to a number of important evolving questions such as:
- What regional & international laws or regulations for safety, security etc are needed over and above DPA, GDPR and local equivalents?
- Artificial Intelligence is here, are there further considerations in relation to it?
- How can block chain and machine learning be combined with IoT as more powerful tools against the security challenge?
Right now, there are no hard and fast answers, but to ignore the questions will only add to the challenge in the coming years.
Further to the challenge in the consumer IoT, there are common but specific security challenges in the IoT for industries. The Industrial IoT (IIoT) is used for the automation of industrial processes and to increase efficiencies. Secure by design cannot be restricted to technical security within industry, and there must be consideration given to whether the Secure by Design agenda covers such areas as resilience within devices and systems to support business continuity and incident response & recovery.
What we must accept and respond to in our work is that there is a new and fast growing attack surface presented by the IoT both in the consumer and industrial markets. If you are concerned about how this could put your organisation at risk our team of consultants are on hand to help you with assessing your security position and providing guidance on how to build your security position.